50 ISPs harbor half of all infected machines worldwide

As the classic method of combating botnets by taking down command and control centers has proven largely ineffective in the long run, there has been much talk lately about new strategies that could bring about the desired result.

A group of researchers from the Delft University of Technology and Michigan State University has recently released an analysis of the role that ISPs could play in botnet mitigation, and it led to some interesting conclusions.

The widely held assumption that the presence of high-speed broadband connections in a country is linked to widespread botnet infection there has been proven false.

The examination of some 190 billion spam messages from 170 million unique IP addresses, captured between 2005 and 2009, led the researchers to conclude that the prevalence of software piracy is a much more accurate indicator of a country's botnet infection rate, and that higher education levels in a country are also associated with a lower level of infection.

Another interesting result of this analysis is that ISPs of similar size located in the same country can have drastically different infection rates among their users, leading the researchers to conclude that some ISPs have adopted more effective practices against infection than others.

“The networks of just 50 ISPs account for around half of all infected machines worldwide,” say the researchers. “This is remarkable, in light of the tens of thousands of entities that can be attributed to the class of ISPs. The bulk of the infected machines are not located in the networks of obscure or rogue ISPs, but in those of established, well-known ISPs.”
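The two findings above rest on the same measurement: attribute each spam-sending IP address to an ISP, count unique sources per ISP, then look at both the concentration (how few ISPs hold half of the sources) and the rate normalised by ISP size. The following is an added example of that computation, not code from the researchers; the ISP prefix table, subscriber counts and spam-trap records are constructed, and a real study would map addresses to ASNs using routing data rather than a hand-written table.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed ISP table (name, announced prefix, subscriber count); hypothetical,
# not from the paper. Real work maps IPs to ASNs via BGP/WHOIS data.
ISP_TABLE = [
    ("isp-a", ip_network("10.1.0.0/16"), 100_000),
    ("isp-b", ip_network("10.2.0.0/16"), 100_000),
    ("isp-c", ip_network("10.3.0.0/16"), 5_000),
    ("isp-d", ip_network("10.4.0.0/16"), 50_000),
]

# Constructed spam-trap records: "timestamp source_ip". A repeated IP counts
# once, because the unit of interest is an infected machine, not a message.
SPAM_LOG = """\
2009-03-01T10:00:00Z 10.1.0.5
2009-03-01T10:00:07Z 10.1.0.5
2009-03-01T10:01:00Z 10.1.0.9
2009-03-01T10:02:00Z 10.1.7.1
2009-03-01T10:02:30Z 10.2.0.2
2009-03-01T10:03:00Z 10.2.0.3
2009-03-01T10:03:10Z 10.3.0.1
2009-03-01T10:04:00Z 10.4.4.4
2009-03-01T10:05:00Z 192.0.2.1
"""

def isp_for(ip):
    """Return the ISP whose prefix contains ip, or None if unattributable."""
    for name, prefix, _ in ISP_TABLE:
        if ip in prefix:
            return name
    return None

def infected_per_isp(log_text):
    """Unique spam-sending IPs per ISP, used as a proxy for infected machines."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _, src = line.split()
        isp = isp_for(ip_address(src))
        if isp:                      # drop sources outside the known ISPs
            seen[isp].add(src)
    return {isp: len(ips) for isp, ips in seen.items()}

def isps_for_share(counts, share=0.5):
    """Smallest number of top ISPs whose sources reach `share` of the total."""
    total, running = sum(counts.values()), 0
    for n, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        running += c
        if running >= share * total:
            return n
    return len(counts)

def infection_rate_per_10k(counts):
    """Infected IPs per 10,000 subscribers, so ISPs of similar size compare fairly."""
    subs = {name: s for name, _, s in ISP_TABLE}
    return {isp: c * 10_000 / subs[isp] for isp, c in counts.items()}
```

On the constructed data, two of the four ISPs hold half of the infected sources, and the small isp-c has by far the highest per-subscriber rate even though it contributes the fewest machines, which is the distinction the paper draws between volume and practice.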

That means that persuading just these 50 ISPs to begin implementing new, more effective approaches for preventing and eradicating infections could make a big dent in the botnet market.

“If the 50 ISPs we identified would ramp up their efforts, the problem might migrate elsewhere,” say the researchers. “However, it is much more difficult to migrate a network of millions of infected machines than to migrate the C&C servers or other ancillary services.”